Business Associates
Purpose of Business Associate Agreements
Any person or company that is a Business Associate is required to sign a contract with special language mandated by the privacy rules. Business Associate Agreements (BAAs) assist UT Health San Antonio in protecting our patients’ health information when it is released to someone outside our organization.
Definitions:
- Business Associate: A Business Associate is a person or entity to which UT Health San Antonio discloses protected health information so that the person/entity can carry out, assist with the performance of, or perform a function or activity for UT Health San Antonio.
- Protected Health Information (PHI): A patient’s or participant’s (in the case of research) health information that identifies the person or can be used to identify the person.
Business Associate Test:
- Is UT Health San Antonio disclosing PHI?
- Does the recipient of the PHI provide a service to, for, or on behalf of UT Health San Antonio?
If the answer to both of the above questions is “yes”, you may have a relationship that requires a business associate agreement.
Not Business Associates
- UT Health San Antonio Workforce: Employees, faculty, residents, students
- Health care workers providing treatment
- Providers with staff privileges at the institution
- Labs
- Individuals or companies with very limited and incidental exposure to health information, such as a telephone company, an electrician, etc.
- Companies that act as a conduit for PHI, such as the postal service, UPS, private couriers, etc.
Potential Business Associates
- Lawyers
- External auditors or accountants
- Professional translator services
- Answering services
- Consultants hired to conduct audits, perform coding reviews, etc.
- Accreditation agencies
- Shredding and/or documentation storage companies
- Data processing firms or software companies that may be exposed to or use PHI
- Medical transcription services, even if you contract with an individual rather than a company
- Medical equipment service companies handling equipment that holds PHI
- E-prescribing gateways
- Health information organizations
Process for Completing a Business Associate Agreement (BAA)
Department Responsibilities
- Determine when a vendor, person, or company is providing services, functions, or activities and patient health information is being shared in the provision of those services
- Ensure BAA is in place prior to services being provided
- Prepare a description of the “purposes for the sharing of PHI” to be included in the BAA
- Contact the Purchasing Department at buscontracts@uthscsa.edu or (210) 562-6203 for assistance in completing the BAA
Purchasing Department (Manager for Contract Administration) Responsibilities
- Complete the BAA for signature
- Assess need for review by the Legal Office and/or the Institutional Compliance & Privacy Office
- Ensure BAA is signed by the vendor and the appropriate institutional signatory authority
- Maintain the original signed BAA
Process for Termination or Non-Renewal of a Contract with a Business Associate
When institutional data is stored or maintained by the business associate, the following steps will be required:
- The department will notify the Purchasing Department, Manager for Contract Administration, to assess the contract and BAA terms
- The Purchasing Department, Manager for Contract Administration, will assess the need for review by the Legal Office and/or the Institutional Compliance & Privacy Office
- The department will ensure the return or destruction of data and provide confirmation to the Purchasing Department, Manager for Contract Administration
- The Purchasing Department, Manager for Contract Administration, will maintain that confirmation with the BAA. If it is not feasible to return or destroy the data, the BAA will continue to extend the protections to limit further use or disclosure by the business associate